I can't speak for Qualys, but it looks like there is a 91.13.0esr out today. Maybe that will help?

• https://www.mozilla.org/security/advisories/mfsa2022-35/
• https://www.mozilla.org/firefox/all/#product-desktop-esr

Thank you for the Reply. This doesn't help though. Is CVE-2022-36314 and CVE-2022-2505 present in ESR 91.12.

As you have seen, there is no indication in the Mozilla security alerts that Firefox 91.x is affected by the local .lnk issue. The bug report linked in the alert typically is confidential. Maybe someone who reads this thread is authorized to read it (I am not).

Thank you for the information on the local .lnk issue. Is there anyway to get someone who has authority to reply regarding this?

Btw the Fx 91.13.0 ESR Released today is the last main update for the old Fx 91.0 ESR channel as when Fx 105.0 is Released there will only be the Fx 102.3 ESR for a supported ESR version.

Thank you for the information, we did update to 91.13 and will work with the owner of the server to get ESR updated to 102.3 next month. In the meantime, I need to prove CVE-2022-36314 and CVE-2022-2505 are not present in ESR 91.12, can someone please respond with the answer to the question.

Thank You,

CVE-2022-36314 was not fixed in Firefox 91 ESR.

See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1773894#c25

ESR was not affected by CVE-2022-2505.

Thank you Mike! So CVE-2022-36314 is present in ESR 91.12?

> Thank you Mike! So CVE-2022-36314 is present in ESR 91.12?

It was both complex and not a high severity issue and 102 ESR can be used.